ISE RADIUS device administration with HP ProCurve switches

Bogieboogi1
Level 1

For a customer PoC I have a pair of ISE installed and have added several network devices (e.g. Cisco, Arista, F5, Aruba, and HP) for device administration, where some are administered via TACACS+ and some over RADIUS. The goal here is to replace an old ACS system and an old RADIUS server (FreeRADIUS).

My particular issue is currently the HP switches. I have set up all necessary attributes and settings on the ISE, as for the other vendors, but on the HP I am not getting any success.

On the ISE I see the authentication and authorization steps with full success, but the switch tells me permission denied, which is weird. On the old RADIUS system (FreeRADIUS), my customer is using the Cisco attributes for all HP switches and it works fine there.

I found out that if I leave out the "aaa authentication login privilege-mode" command, the given attributes on the ISE seem to work. But then I have to authenticate once for level 0 and then again for the enable mode, level 15, which I want to avoid and which is not used in my customer's environment.

Here is an extract of the switch configuration:

radius-server host xx.xx.xxx.xx key xxxxxxxxx acct-port 1646 auth-port 1645
radius-server host xx.xx.xx.xx key xxxxxxxxxx acct-port 1646 auth-port 1645

aaa accounting update periodic 1
aaa authentication login privilege-mode
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

Attributes I have used and tried:

[images: Authorisation_Cisco_SW.PNG, Authorisation_HP_Radius.PNG]

5 Replies

howon
Cisco Employee

Do you have a list of the attributes FreeRADIUS is sending back? I would match exactly how it is set up on FreeRADIUS. Also, a packet capture of what is being sent back from FreeRADIUS would work as well.

I did exactly the same as you proposed.

This is a dump from FreeRADIUS:

[image: attributes.png]

Have you tried 'roles=' instead of 'roles*'? Also, you could try with single role 'shell:roles=network-admin' instead and see if it gives any hints.

I finally found a solution. Changing the equal sign to the star helped, and I added the IETF attribute Service-Type=6.

This finally helped and now it is working as expected.

Access Type = ACCESS_ACCEPT
Service-Type = 6
cisco-av-pair = shell:priv-lvl=15
cisco-av-pair = shell:roles*"network-admin vdc-admin\"
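
To make the working attribute set above concrete on the wire, here is an added example (not code from the original thread, ISE or HP) that builds the Access-Accept a RADIUS server would send for it, decodes it the way a NAS does, and checks the Response Authenticator against the shared secret. Service-Type 6 is Administrative-User in RFC 2865; cisco-av-pair is Vendor-Specific (type 26) with vendor ID 9 and vendor-type 1; in Cisco av-pair syntax "=" marks a mandatory pair and "*" an optional one, which is the difference the thread turned on. The identifier, request authenticator and secret are constructed values for the demonstration.

```python
"""Encode, decode and verify a RADIUS Access-Accept carrying
Service-Type=6 plus two cisco-av-pair VSAs (example, not the thread's own code)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor-type of cisco-av-pair
SERVICE_TYPE_ADMINISTRATIVE = 6  # Administrative-User (RFC 2865)

# The av-pairs from the accepted solution in the thread.
THREAD_AVPAIRS = ["shell:priv-lvl=15", 'shell:roles*"network-admin vdc-admin"']


def attr(attr_type, value):
    """Encode one RADIUS attribute TLV (type, length, value)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco VSA: Vendor-Id 9, vendor-type 1, one av-pair string."""
    data = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, vsa)


def split_avpair(text):
    """Return (attribute, mandatory, value); '=' is mandatory, '*' optional."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return text[:i], ch == "=", text[i + 1:]
    raise ValueError("not an av-pair: %r" % text)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble the packet; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """What the NAS checks before trusting the reply: same MD5, compared in constant time."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the TLVs and return (name, value) pairs, decoding Cisco VSAs."""
    result, pos = [], 20
    end = struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        if t == ATTR_SERVICE_TYPE:
            result.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif t == ATTR_VENDOR_SPECIFIC:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                result.append(("cisco-av-pair", value[6:].decode()))
            else:
                result.append(("Vendor-Specific", value))
        else:
            result.append((str(t), value))
        pos += l
    return result


def build_thread_reply(secret=b"constructed-secret", identifier=0x2A,
                       request_authenticator=bytes(range(16))):
    """Access-Accept with the thread's attribute set (constructed ID/authenticator/secret)."""
    attrs = [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))]
    attrs += [cisco_avpair(p) for p in THREAD_AVPAIRS]
    return build_access_accept(identifier, request_authenticator, secret, attrs)


if __name__ == "__main__":
    pkt = build_thread_reply()
    print(pkt.hex())
    print("authenticator ok:", verify_response_authenticator(pkt, bytes(range(16)), b"constructed-secret"))
    for name, value in parse_attributes(pkt):
        print(name, "=", value)
        if name == "cisco-av-pair":
            print("   ->", split_avpair(value))
```

Feeding the hex output into a decoder such as Wireshark shows the same three attributes the FreeRADIUS dump and the ISE profile carry, which is the comparison howon suggested; the verify step is the check a NAS makes on every reply and the reason a wrong shared secret shows up as a silently dropped Access-Accept rather than an explicit error.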

Appreciate you posting the working configuration. Thanks.